Black Hat attendees warn of impending Mac OS X hacker doom

Mac OS X may be mostly free of malware, perhaps due in part to its smaller …

Mac security researcher Dino Dai Zovi revealed a significant vulnerability in Mac OS X today at the Black Hat conference taking place in Las Vegas this week. He and other Mac security experts warn that Mac OS X could prove to be an easy target if hackers were to shift significant resources to exploiting any of its security flaws.

Dai Zovi detailed a technique that he calls "Machiavelli," which can be used to grab data, even if it is encrypted. Specifically, it relies on an exploit of Safari, the most common attack vector for Mac OS X. "There is no magic fairy dust protecting Macs," he told Reuters in an interview.

Dai Zovi's colleague, Charlie Miller, agrees. "[Apple is] advancing. Our concern is that they are just not advancing as fast as they are gaining market share," he said. Miller co-authored The Mac Hacker's Handbook with Dai Zovi, and is well known for his exploits of Safari which has helped him win the Pwn2Own contest multiple times. Miller is also expected to detail an SMS vulnerability in the iPhone OS at Black Hat today.

While Mac OS X has been nearly free of malware since its introduction, it isn't invulnerable to security problems. Apple has improved its response to security exploits, issuing multiple patches every year. And Snow Leopard is expected to include a number of improvements to overall OS security—another reason to encourage rapid adoption of the $29 OS upgrade expected to ship this fall.

But that doesn't mean Mac users should be care-free about security. "When the malware authors put out something that's really sophisticated we are going to have a whole population that is really vulnerable," Joel Yonts, an expert in Mac security also attending Black Hat, told Reuters.

If Apple continues to grow its market share—which is hovering around 9 percent these days in the US, and about 4 percent globally—the platform could become a more enticing target for malware writers, particularly given the general lackadaisical attitude most users have towards security. The sky isn't yet falling, but users should be aware of security issues and be prepared to protect themselves accordingly.